F5 Networks has disclosed a new HTTP/2 vulnerability affecting multiple BIG-IP products that could allow remote attackers to launch denial-of-service attacks against corporate networks.
The security flaw, designated CVE-2025-54500 and dubbed the “HTTP/2 MadeYouReset Attack,” was published on August 13, 2025, with updates released on August 15.
The vulnerability exploits malformed HTTP/2 control frames to overwhelm systems and has been assigned a medium severity rating with CVSS scores of 5.3 (v3.1) and 6.9 (v4.0).
HTTP/2 Protocol Exploit Uncovered
The newly discovered vulnerability represents a significant implementation flaw in how F5 products handle HTTP/2 communications.
Security researchers have identified that attackers can manipulate malformed HTTP/2 control frames to break the maximum concurrent streams limit, effectively bypassing built-in protocol safeguards.
The attack method allows remote, unauthenticated attackers to cause substantial increases in CPU usage, potentially leading to complete denial of service on affected BIG-IP systems.
Key characteristics of this vulnerability include:
- Attack Type: HTTP/2 MadeYouReset Attack using malformed control frames.
- Authentication Required: None – remote, unauthenticated exploitation possible.
- Primary Impact: CPU resource exhaustion leading to denial of service.
- Classification: CWE-770 (Allocation of Resources Without Limits or Throttling).
- Exposure Level: Data plane only, no control plane compromise.
- F5 Internal IDs: 1937817 (BIG-IP), 1937817-5 (BIG-IP Next), 1937817-6 (Next SPK/CNF/K8s).
What makes this vulnerability particularly concerning is its classification under CWE-770: Allocation of Resources Without Limits or Throttling, indicating that the attack exploits systems’ inability to properly manage resource allocation.
Importantly, this is classified as a data plane issue only, meaning there is no control plane exposure, which limits the potential for more severe system compromises.
F5 Products Widely Affected
The vulnerability affects an extensive range of F5 products, with BIG-IP systems bearing the brunt of the impact. Vulnerable versions include BIG-IP 17.x (versions 17.5.0-17.5.1 and 17.1.0-17.1.2), BIG-IP 16.x (versions 16.1.0-16.1.6), and BIG-IP 15.x (versions 15.1.0-15.1.10).
F5 has released engineering hotfixes for the 17.x and 16.x branches, specifically Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso and Hotfix-BIGIP-17.1.2.2.0.259.12-ENG.iso for the 17.x series, and Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso for the 16.x series.
BIG-IP Next products are also affected, including versions 20.3.0 and various SPK, CNF, and Kubernetes implementations.
However, several F5 products remain unaffected, including BIG-IQ Centralized Management, F5 Distributed Cloud services, NGINX products, F5OS systems, and F5 AI Gateway. F5 Silverline services are vulnerable only when HTTP/2-enabled proxy configurations are in use.
F5 strongly recommends immediate implementation of available hotfixes for affected systems, while acknowledging that engineering hotfixes do not undergo the extensive quality assurance testing of regular releases.
For organizations unable to immediately apply patches, F5 suggests several mitigation strategies. The primary recommendation is disabling HTTP/2 and reverting to HTTP where configurations allow this change.
Additional mitigation options include implementing BIG-IP ASM/Advanced WAF DoS protection profiles with TPS and stress-based attributes, including Behavioral DoS Detection and Mitigation capabilities.
For BIG-IP Next SPK, CNF, and Kubernetes deployments, administrators can delete the F5SPKIngressHTTP2 Custom Resource where possible.
System administrators should monitor HTTP/2 profile statistics, watching for unusually high numbers of RST_STREAM frames sent and WINDOW_UPDATE frames received, which may indicate active exploitation attempts.
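One way to turn that monitoring advice into an alert, as an added example rather than anything from F5's advisory: periodic snapshots of the two cumulative HTTP/2 profile counters named above (RST_STREAM sent, WINDOW_UPDATE received) are converted to per-second rates, and any interval whose rate exceeds a threshold is flagged. The snapshot values, the field names and the thresholds are constructed for illustration; real thresholds should come from a per-virtual-server baseline.

```python
"""Flag HTTP/2 counter deltas matching the MadeYouReset indicators F5 lists."""
from dataclasses import dataclass


@dataclass(frozen=True)
class H2Snapshot:
    ts: int                  # sample time, seconds
    rst_stream_sent: int     # cumulative RST_STREAM frames the proxy sent
    window_update_recv: int  # cumulative WINDOW_UPDATE frames received


def detect_reset_storm(snapshots, rst_per_sec=200.0, wu_per_sec=200.0):
    """Return (start_ts, end_ts, rst_rate, wu_rate) for each interval in
    which either counter's per-second rate reaches its threshold.
    Thresholds are assumed values, not figures from the advisory."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        dt = cur.ts - prev.ts
        if dt <= 0:
            continue  # out-of-order or duplicate sample
        d_rst = cur.rst_stream_sent - prev.rst_stream_sent
        d_wu = cur.window_update_recv - prev.window_update_recv
        if d_rst < 0 or d_wu < 0:
            continue  # counters went backwards (restart/reset): no valid delta
        rst_rate = d_rst / dt
        wu_rate = d_wu / dt
        # Either indicator alone is enough to raise the alert; the report
        # carries both rates so the analyst can see whether they coincide.
        if rst_rate >= rst_per_sec or wu_rate >= wu_per_sec:
            alerts.append((prev.ts, cur.ts, rst_rate, wu_rate))
    return alerts


# Constructed 10-second samples: quiet baseline, a burst, a counter reset,
# then quiet again. Not captured from a real BIG-IP.
SAMPLE = [
    H2Snapshot(0, 1000, 5000),
    H2Snapshot(10, 1050, 5200),     # 5 RST/s, 20 WU/s: normal
    H2Snapshot(20, 1100, 5400),
    H2Snapshot(30, 6100, 9400),     # 500 RST/s, 400 WU/s: burst
    H2Snapshot(40, 11100, 13400),   # burst continues
    H2Snapshot(50, 200, 100),       # counters reset: interval skipped
    H2Snapshot(60, 250, 300),       # back to baseline
]

if __name__ == "__main__":
    for start, end, rst, wu in detect_reset_storm(SAMPLE):
        print(f"{start}-{end}s: RST_STREAM sent {rst:.0f}/s, WINDOW_UPDATE recv {wu:.0f}/s")
```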
F5 acknowledges security researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel for discovering and responsibly disclosing this vulnerability.